[00:02.160 --> 00:10.220]  This is a secret message. Its contents are known only by me. I'll put it away safely and securely.
[00:10.960 --> 00:23.120]  Now when you have some information that you wish communicated to only specific parties, be it a pen test report or your Netflix credentials, how would you ensure only your intended target was able to receive the message?
[00:23.120 --> 00:29.980]  I hope for everyone watching today the answer is either some form of cryptographic solution or "sod off, I'm not showing my Netflix."
[00:29.980 --> 00:36.160]  As I'm sure many of you are aware, there is a looming technology that is set to change the landscape of cryptography.
[00:36.960 --> 00:40.960]  Quantum computers. They will force a change that's already begun.
[00:41.060 --> 00:52.220]  Although the NTSC, for example, predict that quantum computers won't be cryptographically relevant for another 10 years, the drive to move to cryptographic standards resistant to this new threat has already begun.
[00:52.220 --> 01:01.880]  In this talk, we will provide an introduction to this cutting edge field, discuss paradigms for security testing and the types of things to look for when offering remediation advice.
[01:02.100 --> 01:09.920]  Quantum cryptography and quantum resistant cryptography are set to play increasing roles within our industry and jobs in the next few years.
[01:10.600 --> 01:14.600]  So before we begin, it probably makes a little bit of sense for me to introduce myself.
[01:14.600 --> 01:19.720]  My name is Imran and I have an MSc in theoretical physics from the University of Nottingham.
[01:19.720 --> 01:23.100]  In particular, my area of study was gravity particles and fields.
[01:23.100 --> 01:26.860]  And my dissertation was on error correcting codes in quantum computers.
[01:26.860 --> 01:29.820]  So this is a subject that is near and dear to my heart.
[01:29.960 --> 01:36.540]  During my studies, I participated in online bug bounty programs and found a P2 in a Fortune 10 company.
[01:36.720 --> 01:43.440]  Largely because of this, I was part of the group awarded the Bugcrowd 2017 VIP Researcher Accolade.
[01:43.440 --> 01:52.780]  It was at this point that my interest in cybersecurity transitioned from something of a fun hobby to something I wanted to pursue full time.
[01:52.920 --> 01:57.080]  And because of that, I started actively looking for jobs within the industry.
[01:57.080 --> 02:05.940]  I was fortunate enough to be able to join Cybrus in January of 2018 and have been happily working as a security consultant ever since.
[02:06.040 --> 02:09.280]  Okay, now with that out the way, let's get going.
[02:09.280 --> 02:15.020]  So to begin the discussion on quantum information, we've got to first look at classical information theory,
[02:15.020 --> 02:23.300]  which largely originates from Shannon's seminal 1948 paper, in which he puts forward two really important points for our talk today.
[02:23.300 --> 02:28.340]  The first is the concept of entropy, which can be thought of, amongst other things, as a measure of information.
[02:28.440 --> 02:36.700]  And the second is that it's possible to communicate reliably over noisy channels, provided that the rate of communication is less than the channel capacity.
[02:36.700 --> 02:45.020]  Now, quantum information begins with the idea that quantum systems are the ultimate physical medium for storing and processing of information.
[02:45.160 --> 02:51.860]  It tries to extend Shannon's theory by replacing bits of information with generic 2D quantum systems called qubits,
[02:52.220 --> 02:55.980]  and classical channels by their noisy quantum channel counterparts.
[02:56.480 --> 03:03.640]  In quantum cryptography, much like in classical cryptography, one would like to transmit or share information securely.
[03:03.640 --> 03:12.640]  Except now we try and leverage the fundamental properties of our universe, such as the fact that quantum states cannot be learned without being disturbed, in order to do so.
[03:13.680 --> 03:19.580]  So, before we start talking about quantum computers, let's have a quick recap on classical computers.
[03:19.580 --> 03:29.360]  Now we know that information is stored in bits, 1s and 0s, and if storing one number takes 64 bits, then storing n numbers would take 64 times n bits.
[03:29.360 --> 03:33.000]  Calculations are done essentially the same way as they are by hand.
[03:33.080 --> 03:38.100]  And as such, the class of problems that can be solved efficiently are the same as those that can be solved by hand,
[03:38.100 --> 03:44.140]  where efficiency is referring to the idea that the evaluation time doesn't grow too quickly with the size of the input.
[03:45.520 --> 03:51.900]  Now with quantum computers, information is also stored in bits, except now they're quantum bits, or qubits.
[03:52.020 --> 03:55.760]  A qubit can be in a state of 0 and 1, much like a classical bit.
[03:55.760 --> 04:02.000]  However, it can also be in a superposition of these states, a0 plus b1, where a and b are complex numbers.
[04:02.120 --> 04:07.800]  We use complex numbers as they provide benefits in the calculation and comprehension of qubit states,
[04:07.800 --> 04:12.440]  such as the ability to map states to positions on a sphere, as shown in the image.
[04:13.440 --> 04:23.040]  So where a bit can either exist as a 0 or a 1, a qubit can exist in a continuum of states, confined by the boundary of the sphere, with poles at 0 and 1.
[04:23.040 --> 04:29.280]  Calculations are performed by mathematical operations, called unitary transformations, on the state of the qubits.
[04:29.400 --> 04:35.900]  When combined with the principles of superposition, this creates possibilities not available for hand calculations,
[04:35.900 --> 04:42.460]  which translates into more efficient algorithms for factoring, searching, and simulation of quantum mechanical systems.
[04:42.480 --> 04:45.480]  It also allows for more information to be stored in a qubit.
[04:45.480 --> 04:50.500]  For every extra qubit you get, you get twice as many numbers that you're able to store.
[04:51.620 --> 04:59.860]  So, if it takes 1 qubit to store 2 numbers, for example, it'd take 2 qubits to store 4, or 3 qubits to store 8.
[04:59.860 --> 05:06.780]  In fact, there's an equation there on that graph, that if manipulated, will tell you exactly how many qubits you'd need to store n numbers.
[05:06.780 --> 05:09.580]  I'll leave that as a little puzzle for the mathematically inclined.
[05:10.200 --> 05:16.700]  But the takeaway message is that the more qubits you add to the system, the greater the storage capacity,
[05:16.700 --> 05:22.280]  and by an exponential amount. It's not a linear increase in storage, but an exponential one.
[05:23.580 --> 05:27.660]  So, quantum computers, they sound amazing, but are they better at everything?
[05:27.660 --> 05:34.780]  Well, quantum computers utilise quantum mechanics to solve certain problems much faster than is possible with a classical computer.
[05:34.980 --> 05:37.720]  Quantum mechanics relies on the principles of probability.
[05:37.880 --> 05:45.400]  In quantum mechanics, we depend on numbers called probability amplitudes, which can be positive, negative, or complex numbers.
[05:46.180 --> 05:54.880]  A simplification of the process is that we try and orchestrate it so that some wrong answers have positive amplitudes, whilst others have negative amplitudes.
[05:54.880 --> 05:58.920]  That way, they destructively interfere and cancel each other out.
[05:58.920 --> 06:07.140]  Now, this is made more complicated by the fact that we don't know what the wrong answers are ahead of time, and so coding such things is non-trivial.
[06:07.140 --> 06:09.960]  However, this is loosely how the process works.
[06:10.740 --> 06:18.960]  In general, problems that can utilise parallelism, the ability to split a problem into several parts and then solve them all simultaneously,
[06:18.960 --> 06:23.180]  are problems that will benefit from the gains quantum computers have to offer.
[06:23.300 --> 06:31.020]  Problems like prime number factorisation, or finding the most efficient route through a complicated city grid, are great candidates,
[06:31.020 --> 06:35.100]  whereas you're unlikely to see much of an FPS increase in your favourite video games.
[06:35.100 --> 06:37.440]  So, apologies to any Fortnite fans.
[06:37.960 --> 06:40.900]  So, where are we currently with quantum computers?
[06:40.940 --> 06:45.700]  Well, the largest gate-model processor was released by Google, and it's called Bristlecone.
[06:45.740 --> 06:54.220]  It weighs in at about 72 qubits, and whilst there are far larger quantum annealing processors, which are designed to solve a very specific set of problems,
[06:54.220 --> 07:01.080]  gate-model processors are what most people think of when they think of quantum computers, and are applicable to a wider set of problems.
[07:01.080 --> 07:04.100]  They are considered universal quantum computers.
[07:04.100 --> 07:10.640]  We also have our first commercial quantum computer, released by IBM, and called the Q System One.
[07:10.640 --> 07:12.480]  It weighs in at 20 qubits.
[07:12.480 --> 07:21.200]  Mr Morimoto, director of IBM Research Tokyo, and global VP, said IBM intends to commercialise quantum computers within three to five years,
[07:21.200 --> 07:26.500]  when he expects quantum computers to be able to outperform supercomputers in specific domains.
[07:26.500 --> 07:31.060]  So, this first commercial system can be taken as a bit of a statement of intent.
[07:32.940 --> 07:39.400]  UNSW Sydney have succeeded in producing a qubit that functions at 1.5 Kelvin.
[07:39.540 --> 07:43.920]  Now, this is many times warmer than common quantum processors that are currently developed,
[07:43.920 --> 07:51.920]  and it may enable integrating classical control electronics within a qubit array, which would end up reducing costs substantially.
[07:52.040 --> 07:58.620]  The cooling requirements necessary for quantum computing have traditionally been one of the toughest roadblocks for the field so far.
[07:59.480 --> 08:07.960]  And a research breakthrough has succeeded in showing experimental evidence for a new state of matter, topological superconductivity.
[08:08.160 --> 08:09.500]  Catchy, I know.
[08:09.620 --> 08:19.160]  Whilst the emergence of this state has been seen in 2D systems so far, it is believed that the system could be scalable and used for the construction of qubits,
[08:19.160 --> 08:23.780]  yielding the potential for increased calculation speeds and boosted storage.
[08:23.780 --> 08:31.140]  Finally, IBM's Q Experience and Amazon Braket have effectively brought quantum computers to your home.
[08:31.140 --> 08:38.200]  With cloud quantum computing, this allows for experiments to be run on quantum systems and simulators available to the public.
[08:38.280 --> 08:45.040]  The cloud promises to facilitate great strides in quantum-related fields by allowing more people access to the technology.
[08:45.940 --> 08:52.460]  This is a really exciting development, and it's something we'll look at a little bit more closely later on in this presentation.
[08:52.460 --> 08:57.380]  So that's a bit about quantum computers. But what's this all got to do with cryptography?
[08:57.640 --> 09:03.360]  Well, again, it probably makes sense to start with classical cryptography before we start talking about quantum cryptography.
[09:03.360 --> 09:08.800]  And I appreciate there may be many people watching who know a great deal more about classical cryptography than I do.
[09:08.800 --> 09:12.120]  So I apologize if this is a bit like teaching grandma to suck eggs.
[09:12.120 --> 09:15.720]  But I think it's important we all start from the same page before going forward.
[09:15.720 --> 09:19.700]  So we've kind of all got the same sort of grounding about what we're going to be discussing.
[09:19.700 --> 09:22.740]  So what's the goal with classical cryptography?
[09:22.880 --> 09:27.860]  Well, we want to allow secure communications of secret messages over public channels.
[09:27.860 --> 09:30.620]  And this can be accomplished in a number of ways.
[09:31.340 --> 09:42.120]  We could use the one-time pad algorithm, for example, in which two parties, A and B, or Alice and Bob, use a one-time pre-shared key to encrypt information.
[09:42.380 --> 09:49.000]  An issue with this approach is that of secure key distribution, which has historically made it impractical for most applications.
[09:49.000 --> 09:50.960]  So what are some alternatives?
[09:50.960 --> 09:54.540]  Well, a popular one would be the public-private key pair.
[09:54.540 --> 09:59.260]  Now, this relies on the fact that certain mathematical tasks are computationally hard.
[09:59.260 --> 10:05.880]  For instance, the factorization of large numbers into prime factors, as used in the RSA algorithm.
[10:07.160 --> 10:13.960]  So, as I said, the RSA algorithm relies on the difficulty of factoring large numbers into prime factors.
[10:13.960 --> 10:20.100]  The largest factored RSA number that I know of so far is 232 decimal digits long.
[10:20.100 --> 10:27.440]  As computers become more powerful, larger prime factors are going to need to be used in order to preserve the security of the algorithm.
[10:27.620 --> 10:38.020]  However, in 1994, Peter Shor kind of threw a spanner in the works and showed that a quantum computer could factor large numbers in polynomial time.
[10:38.040 --> 10:41.920]  Now, polynomial time algorithms are said to be fast algorithms.
[10:41.920 --> 10:50.680]  On a classical computer, operations such as addition, multiplication, square roots and logarithms can be performed in polynomial time.
[10:50.680 --> 10:56.340]  As you can imagine, this will compromise the security of the RSA algorithm and others that use similar techniques
[10:56.640 --> 11:03.620]  if you could find prime factors on a quantum computer as quickly as you could find logarithms on a classical one.
[11:04.500 --> 11:15.380]  So, with quantum computers threatening many of the cryptographic standards we use today, we need some form of alternative, something resilient to this new threat.
[11:15.400 --> 11:23.840]  Now, alternatives that have been proposed are numerous and the one we're primarily going to be looking at today is quantum cryptography.
[11:23.840 --> 11:28.580]  Quantum cryptography derives its strength from a few weird properties of quantum mechanics.
[11:28.580 --> 11:35.840]  There's the no-cloning theorem, which states that it's impossible to create an identical copy of an arbitrary unknown quantum state.
[11:35.840 --> 11:41.460]  And it's important to stress that it has to be an unknown quantum state. If it's a known quantum state, it can be copied.
[11:41.460 --> 11:46.040]  But there is no physical device capable of copying unknown quantum states.
[11:46.040 --> 11:51.760]  As such, intercepted replay attacks are inherently protected against, as we will see later.
[11:51.760 --> 11:59.340]  We also have quantum superposition, in which two or more quantum states can be summed to create another valid quantum state.
[11:59.340 --> 12:05.420]  That is to say, every quantum state can be thought of as a sum of two or more distinct states.
[12:05.420 --> 12:14.000]  As we have seen, this principle is critical to how quantum computers work and contributes to many of the benefits such systems offer.
[12:15.420 --> 12:22.240]  Finally, we have what is arguably the most famous property of quantum mechanics, and that is quantum entanglement,
[12:22.240 --> 12:29.740]  which is the interaction of quantum systems resulting in the quantum state of each system no longer being independent of one another.
[12:29.740 --> 12:36.780]  So you can't talk about one system without describing the other, or affect one system without also affecting the other.
[12:36.780 --> 12:45.220]  This has massive implications for secure communications and the teleportation of information, with active research taking place in the field.
[12:45.220 --> 12:51.580]  And in fact, I came across, not too long ago, a really good analogy for quantum entanglement.
[12:51.580 --> 12:56.120]  Now like all analogies, it does break down if looked at too closely.
[12:56.120 --> 13:01.030]  But it is really good at getting across the gist of what quantum entanglement is.
[13:02.170 --> 13:10.350]  So, as the world's been in lockdown, and we've all kind of discovered that exercise is a thing, I've got two resistance bands here.
[13:10.350 --> 13:13.830]  I have a red resistance band, and a blue resistance band.
[13:13.830 --> 13:25.030]  Now, if I were to put each resistance band in its own box, and then seal these boxes, and put them under the table,
[13:25.950 --> 13:34.550]  I have a system, the system that comprises these two sealed boxes, each with a resistance band in it.
[13:34.550 --> 13:41.130]  We no longer know what colour is in what box. I've mixed them around, and I randomly pick one.
[13:41.290 --> 13:47.030]  Now, we can say that the band inside that box is either red or blue.
[13:47.030 --> 13:55.210]  Or we could also say that the band is in a superposition state of being both red and blue.
[13:55.270 --> 13:59.550]  And it will stay that way until we observe it, and force it to pick a colour.
[14:00.210 --> 14:05.630]  So we take one of these boxes, and we give it to someone. Say you, right there.
[14:05.690 --> 14:12.630]  And we ask you to run at the fastest speed you could possibly run. In fact, run faster than that.
[14:12.630 --> 14:19.790]  Run at the speed of light, and just keep running in a straight line. Run right off the surface of the planet, and just keep going into outer space.
[14:19.790 --> 14:23.910]  Just keep going for 30 years. We'll all wait. It's fine.
[14:24.470 --> 14:29.430]  And then 30 years later, I pick up the other box.
[14:30.350 --> 14:35.050]  And I say, I wonder what colour band we've got.
[14:35.990 --> 14:44.470]  Now, in opening this box, I will be describing part of my system, or part of the system.
[14:44.570 --> 14:49.830]  And in doing so, I can't help but describe the other part of the system.
[14:49.970 --> 14:57.450]  And so I open our box, and I see inside that we have the red resistance band.
[14:57.450 --> 15:14.330]  Which means, that without having violated any laws of physics, we know that there is a very exhausted person, 30 light years away from Earth, with a sealed box that inside it has a blue resistance band.
[15:14.330 --> 15:18.770]  By forcing our resistance band to be red, we have forced theirs to be blue.
[15:18.770 --> 15:23.250]  By affecting our part of the system, we have affected their part of the system.
[15:23.250 --> 15:28.030]  And by describing our part of the system, we have described their part of the system.
[15:28.190 --> 15:33.370]  And if you take it on the surface level, that is how entanglement works.
[15:34.170 --> 15:38.930]  So quantum cryptography, it has a lot going for it, but it also has its share of issues.
[15:38.950 --> 15:42.910]  So one of the pros is that it cannot be unknowingly intercepted.
[15:42.910 --> 15:51.830]  We'll see this in more detail later, but due to the properties of the no-cloning theorem and quantum entanglement, it's impossible for information to be unknowingly intercepted.
[15:51.830 --> 15:55.750]  It's also secure irrespective of computing power.
[15:55.750 --> 15:59.810]  The security comes from the underlying physical properties of these devices.
[15:59.810 --> 16:05.090]  It's baked into the universe itself and isn't something that can be cracked with greater computing power.
[16:05.090 --> 16:09.810]  It's also able to secure communications at a physical level.
[16:09.910 --> 16:16.150]  Quantum cryptography can secure the complete end-to-end connection without the need for SSL or a VPN.
[16:16.470 --> 16:21.630]  But as I said, as great as this sounds, it's not as if it does not have its own issues.
[16:21.630 --> 16:24.270]  For example, it's very expensive.
[16:24.270 --> 16:32.390]  Due to this being the cutting edge of cryptography, research and development costs are high, as are the fabrication costs of specialist components.
[16:32.390 --> 16:34.870]  And this all affects the final sale price.
[16:35.530 --> 16:39.830]  Leading on from this, it requires its own independent infrastructure.
[16:39.970 --> 16:47.450]  The requirement for exacting conditions to be met dictates the need for independent infrastructure capable of supporting quantum cryptography.
[16:47.450 --> 16:50.410]  And this also has its own associated costs.
[16:51.230 --> 16:54.750]  Finally, there are practical problems in implementation.
[16:54.830 --> 16:59.550]  As this is very new technology, there are still problems that need to be overcome.
[16:59.550 --> 17:04.430]  Such as the fact that fibre-based quantum key distribution can only travel so far.
[17:04.590 --> 17:10.690]  However, a lot of these cons, if not all of them, will be overcome as time goes on.
[17:10.690 --> 17:15.830]  And we've already made significant progress in many of these areas.
[17:15.830 --> 17:24.930]  I talked about the fact that we can now have what are considered hot qubits, which are qubits that run at 1.5 Kelvin.
[17:25.050 --> 17:30.210]  Also, on quantum key distribution being limited to travelling only a certain distance:
[17:30.370 --> 17:41.430]  Lucamarini et al., as we will discuss a little bit more later, have put forward a proposed solution which can help extend the range of quantum key distribution.
[17:41.430 --> 17:52.390]  And so these cons are not necessarily indicative of this being an impractical solution to the issues quantum computers pose to cryptography.
[17:52.390 --> 17:55.690]  And there is still much promise within this field.
[17:57.250 --> 18:00.370]  So where are we with quantum cryptography today?
[18:00.370 --> 18:08.770]  Well, we have true random number generators, which are essential for the creation of secure encryption keys and entropy enhancement.
[18:08.770 --> 18:17.010]  Entropy, as I said earlier, can be described as a measure of information or disorder or randomness or uncertainty in a system.
[18:17.090 --> 18:22.130]  And so the introduction of truly random number generators is of obvious benefit here.
[18:22.190 --> 18:26.670]  In fact, Shannon had a great anecdote about coming up with the term entropy.
[18:26.750 --> 18:34.310]  He said, my greatest concern was what to call it. I thought of calling it information, but that word was overly used.
[18:34.310 --> 18:36.770]  So I decided to call it uncertainty.
[18:36.770 --> 18:40.490]  When I discussed with John von Neumann, he had a better idea.
[18:40.570 --> 18:44.930]  Von Neumann told me, you should call it entropy for two reasons.
[18:44.990 --> 18:51.210]  In the first place, your uncertainty function has been used in statistical mechanics under that name.
[18:51.210 --> 18:52.910]  So it already has a name.
[18:52.930 --> 18:58.230]  And in the second place, and more importantly, no one really knows what entropy really is.
[18:58.230 --> 19:00.950]  So in a debate, you'll always have the advantage.
[19:01.790 --> 19:07.210]  We also have quantum key distribution devices that are commercially available.
[19:07.510 --> 19:11.210]  These allow for secure key exchange, which can be used for encryption.
[19:11.210 --> 19:20.190]  Devices are made by ID Quantique with their Cerberis3 system, MagiQ Technologies with QPN, and QuintessenceLabs with QProtect.
[19:20.210 --> 19:26.690]  Sales of quantum key distribution systems are currently led by high-end financial and government communication systems.
[19:26.690 --> 19:31.730]  Last year, the financial segment dominated the market with a share of 38%,
[19:31.730 --> 19:39.630]  followed by government and defence, which accounted for around 31% and 27% of the market, respectively.
[19:39.630 --> 19:47.730]  Plans for new quantum key distribution networks exist in the US with Battelle, Japan with NICT, and China with QuantumCTek.
[19:47.730 --> 19:55.230]  The global quantum key distribution market size is estimated to grow to about 4.8 billion by 2023,
[19:55.230 --> 19:58.170]  coming from 1.7 billion in 2018.
[19:58.610 --> 20:05.170]  So there is massive amounts of investment that's taking place in this area, and so there are certainly many people who believe in this technology.
[20:05.890 --> 20:10.670]  So I've kind of alluded to it already, but what is QKD?
[20:10.670 --> 20:18.890]  Well, QKD, or quantum key distribution, is perhaps the best-known and certainly most well-developed branch of quantum cryptography.
[20:18.890 --> 20:25.010]  It has the goal of providing an information-theoretically secure solution to the problem of key exchange.
[20:25.010 --> 20:32.670]  Utilizing QKD protocols, two parties should be able to establish a key that can be used for secure communication,
[20:32.670 --> 20:36.290]  without the key being unknowingly intercepted by a third party.
[20:36.290 --> 20:41.050]  This should remain the case even if all communications were over public channels.
[20:41.150 --> 20:49.330]  Whilst unconditional security can be proven mathematically, that is to say there are no constraints placed on the abilities of the eavesdropper,
[20:49.330 --> 20:53.410]  and this is not something that's possible with classical distribution,
[20:53.410 --> 20:56.430]  there are some assumptions that do need to be made.
[20:56.430 --> 21:02.130]  One being that the universe hasn't had a change of heart, and the laws of quantum mechanics still apply.
[21:02.130 --> 21:08.350]  And another being that the two genuine parties can both successfully authenticate each other.
[21:08.350 --> 21:14.550]  If these two assumptions stand, however, we should have a seemingly secure protocol.
[21:14.550 --> 21:17.850]  However, issues do exist within implementation.
[21:17.950 --> 21:23.030]  Key generation rate, for example, and transmission distance are both areas of concern.
[21:23.030 --> 21:31.610]  However, as I alluded to earlier, in 2018 Lucamarini et al. put forward a way to possibly overcome the rate-distance limit.
[21:31.610 --> 21:41.150]  The proposed twin-field QKD scheme suggests that optimal key rates could be achieved on 550km of standard optical fibre,
[21:41.150 --> 21:43.990]  which are already used in communications today.
[21:44.530 --> 21:51.210]  And whilst we're about to see quantum key distribution happen on far bigger scales than 550km,
[21:51.210 --> 21:54.570]  that is a non-trivial distance, I'm sure you'll agree.
[21:55.210 --> 22:01.090]  And whilst a lot of work within the field of quantum cryptography has been focused on the development of QKD,
[22:01.090 --> 22:04.270]  this has not been the only branch where work is taking place.
[22:04.370 --> 22:10.990]  Other areas that address issues with QKD, such as the inefficiency of quantum key distribution for large networks,
[22:10.990 --> 22:15.370]  utilising symmetric cryptosystems, which is due to key management overheads,
[22:15.370 --> 22:22.330]  or areas related to other cryptographic tasks and functions, are also being actively researched.
[22:23.350 --> 22:27.850]  OK, so now that we've had a quick primer in QKD, let's see it in action.
[22:28.590 --> 22:36.090]  In a paper submitted in early 2018, a joint Austrian-Chinese team were able to perform quantum key distribution
[22:36.090 --> 22:40.550]  between a low-Earth orbit satellite and multiple ground stations.
[22:40.550 --> 22:46.710]  The satellite was called Micius, and the protocol involved three steps.
[22:46.710 --> 22:53.690]  In the first, the satellite establishes a secure key with the first location, say, Xinglong in China.
[22:53.690 --> 22:56.050]  And we'll call this key MX.
[22:56.050 --> 23:01.810]  The second step involves repeating this procedure with another location, say, Graz in Austria.
[23:02.070 --> 23:05.950]  This creates a second secure key, and we'll call that one MG.
[23:05.950 --> 23:09.950]  So we have MX with Xinglong, and MG with Graz.
[23:09.950 --> 23:18.030]  At this point, Micius has established secure keys with both locations, and is ready to act as a trusted relay between them both.
[23:18.030 --> 23:23.770]  The third and final step is for Micius to receive a command from one of the ground stations,
[23:23.770 --> 23:33.230]  prompting the satellite to perform a bitwise exclusive OR operation between MX and MG, creating a new key MXMG.
[23:33.890 --> 23:39.450]  This can then be sent through classical communications channels to Xinglong or Graz,
[23:39.450 --> 23:47.410]  where it can be decoded with another bitwise exclusive OR operation to recover the original key.
[23:48.330 --> 23:58.890]  So if you wanted the MG key for Graz and you were Xinglong, Micius would give you the MXMG key.
[23:58.890 --> 24:05.230]  You'd perform a bitwise OR operation with your MX key, and you'll recover Graz's MG key.
[24:05.230 --> 24:17.130]  In other words, Micius uses MX to encrypt MG, and Xinglong decrypts the ciphertext to recover MG, which was shared with Graz.
[24:17.130 --> 24:24.970]  So the key is known to the two communicating locations and the satellite, but not to any external fourth party.
[24:24.970 --> 24:39.130]  This way, the secret key, constructed between locations in China and Europe, separated by 7600 km, is secured using the properties of quantum mechanics.
[24:39.130 --> 24:47.110]  A picture of Micius, which was about 5.3 kilobytes, was transferred from Beijing to Vienna.
[24:47.110 --> 24:52.910]  And a picture of Schrödinger, which was around 4.9 kilobytes, from Vienna to Beijing.
[24:52.910 --> 24:57.950]  This was done using a secure quantum key for one-time pad encoding.
[24:58.670 --> 25:08.710]  A videoconference was also held between China and Austria, using the satellite-based QKD network, also in combination with fibre-based quantum networks.
[25:08.710 --> 25:20.150]  And this is a promising start in finding an efficient solution for an ultra-long-distance global quantum network, which could lay the groundwork for a potential future quantum internet.
[25:20.150 --> 25:26.530]  But what exactly was the QKD protocol that was used by Micius to establish the quantum key?
[25:26.630 --> 25:33.870]  Well, it's one of the most popular QKD protocols, and is the basis for many commercial systems that are being sold today.
[25:34.050 --> 25:44.210]  It's called the BB84 protocol, and it has the goal of establishing a key between Alice and Bob, such that an eavesdropper Eve cannot learn it by listening to their conversation.
[25:44.210 --> 25:50.830]  Once this key has been established, it can then be used to communicate securely, using the one-time pad algorithm, for example.
[25:50.930 --> 26:02.870]  The basic idea is that Alice and Bob use quantum systems to establish the key, and if Eve tries to learn the state of the system, this will inevitably disturb the state, which can be detected by Alice and Bob.
[26:03.190 --> 26:09.170]  Eve can sabotage the protocol, sure, in which case Alice and Bob won't be able to establish the key.
[26:09.170 --> 26:17.770]  However, the goal is to make sure that if Alice and Bob agree that the protocol was successful, then the chance that Eve knows the key would be very small.
[26:17.970 --> 26:27.270]  And as a point of interest, it's called BB84, as it's a key distribution system proposed by Bennett and Brassard in 1984, and has nothing to do with spherical droids.
[26:28.110 --> 26:36.450]  So what are the steps of the protocol? Well, to begin with, Alice prepares a qubit randomly in one of four states and sends it to Bob.
[26:36.450 --> 26:44.330]  Bob measures the received qubit in one of two bases, randomly, so with a probability of half for each basis.
[26:44.330 --> 26:49.990]  Alice and Bob then both reveal the basis in which the qubit was respectively prepared and measured.
[26:49.990 --> 27:00.530]  They do this via a classical channel, but it's very important that they do not share the state or respective outcome of their measurement, merely the basis they chose for the measurement.
[27:00.530 --> 27:06.710]  If the bases coincide, they add the bit to their list of key bits. Otherwise, they disregard that qubit.
[27:06.710 --> 27:15.730]  In order to make sure Eve hasn't tampered, they pick a proportion, say half, of their agreed bits and compare them using a classical channel.
[27:15.730 --> 27:23.850]  They should find no significant differences. If they do find differences that are above the error rate of the channel, then they know that they have an eavesdropper,
[27:23.850 --> 27:32.170]  and they can choose to either restart the protocol or convince themselves that whatever they were trying to share was not that important and they should just scrap it and go home.
[27:33.150 --> 27:40.370]  But how secure is the BB84 protocol? Well, there are several mathematical proofs attesting to the security of the protocol.
[27:40.510 --> 27:45.070]  One such proof is provided in the further reading slide for anyone interested in the maths.
[27:45.210 --> 27:48.730]  However, today we'll go through the intuition behind the proof.
[27:48.730 --> 27:56.110]  The central principle is that in order for Eve to learn the key, the qubits sent by Alice must be intercepted and measured.
[27:56.110 --> 28:04.650]  If Eve knows the basis to which the prepared state belongs, she could measure the state in that basis and learn it without altering it.
[28:04.730 --> 28:15.310]  However, Eve doesn't know which basis has been used, and as such, she can't perform the above measurement with absolute certainty she's not going to alter the state of the qubit.
[28:15.310 --> 28:18.230]  This leaves two possible alternatives.
[28:19.550 --> 28:28.890]  So Eve's first option is that she can choose one of the two bases randomly, measure in that basis and then pass the system on to Bob.
[28:28.890 --> 28:38.450]  If Eve chooses the same basis that Alice used to prepare the state, then she obtains the result she's looking for and can pass the state on to Bob undisturbed.
[28:38.450 --> 28:41.150]  Happy days, her presence is not known.
[28:41.150 --> 28:50.330]  However, on the other hand, if Eve measures in the basis that Alice didn't encode in, then the state she sends to Bob will have been altered.
[28:50.370 --> 28:56.610]  And when Bob makes his own measurement, there is only a 1 in 4 chance that he will obtain Alice's prepared state.
[28:56.610 --> 29:04.090]  So those aren't great odds, and her chance of being undetected further diminishes the more bits are used in the key generation process.
[29:04.090 --> 29:10.110]  As every time Alice sends a bit, Eve has to roll that dice when measuring the state.
[29:10.790 --> 29:14.530]  So that doesn't sound particularly great. What's Eve's second option?
[29:14.910 --> 29:25.450]  Well, Eve's second option is that she can keep the system sent by Alice and measure it only after classical communication declares which bases were used for encoding.
[29:25.450 --> 29:28.070]  But she needs to send Bob something, right?
[29:28.070 --> 29:34.050]  So she has to essentially make up a bunch of her own data and send it on to Bob.
[29:34.050 --> 29:42.210]  And just hope, through sheer chance, that her made-up data matches Alice's signal perfectly.
[29:42.210 --> 29:48.490]  She can't clone Alice's signal because it's made up of unknown qubit states, quantum states even.
[29:48.490 --> 29:54.710]  And so there is no physical device capable of replicating unknown quantum states.
[29:54.710 --> 30:10.990]  She sends her own signal, and then she waits and prays that when Bob makes his measurements, they do not give a different result than Alice's original signal would have given.
[30:12.450 --> 30:19.750]  However, no matter what state she chooses, there is a significant chance that Bob's measurements will differ.
[30:19.750 --> 30:28.770]  And so using the first option, there's a very small likelihood of successful eavesdropping, which further diminishes as the number of qubits used in the protocol increases.
[30:28.790 --> 30:37.190]  And with the second option, as she's just making up information and sending it along, hoping it matches Alice's, there's no real chance.
[30:37.190 --> 30:40.310]  And she's scuppered there because of the no-cloning theorem.
[30:41.170 --> 30:50.130]  In general, Eve may employ more sophisticated attacks in which several successive qubits are measured, which makes the proof of the security more complicated.
[30:50.130 --> 30:57.110]  However, the heart of the proof is the fact that quantum information cannot be copied, as dictated by the no-cloning theorem.
[30:57.330 --> 31:07.050]  Now, quantum cryptography is fast approaching the stage of technological applications, with several companies in the process of producing cryptographic systems based on the BB84 protocol.
[31:07.050 --> 31:13.190]  In fact, as we've discussed earlier, there are QKD systems already available for sale.
[31:13.190 --> 31:17.320]  You can buy a pair of ID Quantique's QKD Cerberis III boxes.
[31:17.650 --> 31:27.930]  And generally, in commercial systems, the four states of the qubits that Alice would send, or encode in, are implemented with four polarizations of a single photon state.
[31:28.010 --> 31:36.730]  Companies that manufacture quantum cryptography systems include Toshiba, ID Quantique, SeQureNet, QuintessenceLabs, and MagiQ Technologies.
[31:37.410 --> 31:45.690]  So now that we know a little bit about BB84, how popular it is, testaments to its security, let's break it.
[31:45.770 --> 31:52.150]  What I want you to take away from this talk is a paradigm on how to approach pen testing of quantum systems.
[31:52.290 --> 31:58.670]  Vulnerabilities can be broken down into two broad classes. We have inherent flaws, and we have implementation flaws.
[31:58.750 --> 32:04.550]  Now, inherent flaws exist where an assumption made during the creation of a protocol doesn't hold to be true.
[32:04.550 --> 32:09.990]  A new mathematical technique or approach, for instance, may break the security of the protocol.
[32:09.990 --> 32:14.470]  An example of a protocol with inherent flaws would be SSL version 3.
[32:14.490 --> 32:20.890]  Implementation flaws, on the other hand, exist because real-world physical systems aren't perfect.
[32:21.090 --> 32:25.330]  And neither is our adaptation of theoretical principles to physical mediums.
[32:25.330 --> 32:32.030]  Such imperfections can be exploited to compromise an otherwise secure protocol, as we're about to see.
[32:32.030 --> 32:36.220]  So our first attack is called the indirect copying attack.
[32:36.550 --> 32:41.670]  And in it, Eve constructs a list of all possible states Alice can use to encode her qubits.
[32:41.670 --> 32:51.350]  Now, we said that in commercial devices, Alice's qubits are usually encoded in photons.
[32:51.410 --> 32:56.410]  And this is done using different polarizations of a single photon.
[32:56.410 --> 33:03.130]  These different polarizations are horizontal, vertical, or plus and minus 45 degrees.
[33:04.010 --> 33:12.250]  So Eve lists these potential states, and then she intercepts Alice's qubits as they're transmitted to Bob.
[33:12.250 --> 33:15.230]  She measures them to find each qubit's value.
[33:15.230 --> 33:21.390]  And having found this information, she has to discard the intercepted qubits, as she's altered them, at least some of them,
[33:21.390 --> 33:28.130]  as she would have guessed and measured in the wrong basis, compared to what Alice originally prepared the qubits in.
[33:28.850 --> 33:35.710]  However, now that she has got her measurements, and she has a list of Alice's original states,
[33:35.710 --> 33:40.510]  she can work backwards and recreate Alice's original signal.
[33:40.510 --> 33:45.570]  She's not violating the no-cloning theorem, as these are no longer unknown quantum states to her,
[33:45.570 --> 33:53.370]  and so she can use the information that she gained in measuring Alice's qubits to recreate that signal and send it on to Bob.
[33:53.370 --> 34:01.850]  It's important to note that this attack only works in protocols like BB84, where the quantum state is encoded in transit.
[34:01.870 --> 34:07.310]  Alongside this, Eve has to know all possible states Alice can use to encode her qubits,
[34:07.310 --> 34:14.250]  and try to keep her time interval between successive qubits as close as possible to Alice's original sequence,
[34:14.250 --> 34:22.130]  alongside keeping the delay between Alice sending and Bob receiving as small as possible, so that her presence isn't felt.
[34:22.870 --> 34:30.170]  If she manages to do this, she will have Alice's original signal, which she then passes on to Bob,
[34:30.170 --> 34:38.330]  and then when Alice and Bob communicate and create their key, Eve can listen in and create her key right alongside them.
[34:38.430 --> 34:46.110]  Another attack that we could employ leverages the hardware limitations of current devices,
[34:46.110 --> 34:53.330]  and that limitation is that perfect single-photon sources are incredibly difficult to create,
[34:53.330 --> 34:58.670]  and so we can use the photon number splitting attack, or PNS attack for short.
[34:58.670 --> 35:07.410]  Because single-photon sources are difficult to create, weak coherent pulses are generally used in actual cryptographic devices.
[35:07.750 --> 35:17.070]  A weak coherent pulse is a photon pulse that has a low mean photon number, and that is to say a low number of photons in that pulse on average.
[35:17.070 --> 35:23.370]  It could be achieved by passing short, low-powered laser pulses through an attenuator.
[35:23.370 --> 35:29.330]  The PNS attack takes advantage of a limitation present in weak coherent pulse generators,
[35:29.330 --> 35:32.990]  which is that sometimes multiple photon pulses are emitted.
[35:34.290 --> 35:41.430]  If that's the case, Eve can intercept a portion of this multiple photon pulse and send the remainder on to Bob.
[35:42.110 --> 35:49.510]  Then all Eve has to do is wait for Alice and Bob to announce their respective transmission and detection bases,
[35:49.510 --> 35:53.270]  and measure her captured photons right alongside Alice and Bob.
[35:53.270 --> 35:57.030]  Again, as they build up their key, she builds up her key alongside them.
[35:57.030 --> 36:01.770]  Sounds great in theory, however the PNS attack is actually quite complex to implement.
[36:01.890 --> 36:07.130]  First of all, the probability that a multiple photon beam is emitted is around 5%,
[36:07.130 --> 36:14.770]  and as such, Eve has to check whether the emitted pulse contains multiple photons or not, which demands proper hardware and algorithms.
[36:14.770 --> 36:18.650]  Given this though, it would be very hard for Bob to detect Eve's presence,
[36:18.650 --> 36:22.850]  especially if she is able to hide within the error rate of the channel,
[36:22.850 --> 36:28.010]  and suppress single photon pulses, only allowing multiple photon pulses through,
[36:28.010 --> 36:31.670]  making it look like it's absorption within the channel, for example,
[36:31.670 --> 36:39.090]  so that Bob only sees those multiple photon pulses, of which Eve knows she has a portion.
[36:39.090 --> 36:43.510]  However, this can again be protected against using decoy states,
[36:43.510 --> 36:47.770]  as was the case with the Micius relay, which used decoy states.
[36:47.770 --> 36:52.910]  Here, multiple intensity levels are used at the transmitter's source,
[36:52.910 --> 36:59.470]  so that's to say that the qubits transmitted by Alice are sent using randomly chosen intensity levels.
[36:59.470 --> 37:02.830]  One signal state, and several decoy states.
[37:02.830 --> 37:07.270]  This results in varying photon number statistics throughout the channel.
[37:07.270 --> 37:10.090]  At the end of the transmission, Alice announces publicly
[37:10.090 --> 37:14.890]  which intensity level was used for the transmission of each qubit.
[37:14.890 --> 37:21.690]  A successful PNS attack requires maintaining that bit error rate at the receiver's or Bob's end,
[37:21.690 --> 37:24.010]  so that Eve can hide within that.
[37:24.010 --> 37:28.010]  However, this cannot be accomplished with multiple photon number statistics.
[37:28.010 --> 37:32.210]  By monitoring the bit error rate associated with each intensity level,
[37:32.210 --> 37:36.490]  the two legitimate parties will be able to detect a PNS attack.
[37:36.490 --> 37:42.990]  And finally, we get to my favourite of the attacks, and this is the light injection attack.
[37:42.990 --> 37:47.110]  So for this one, let's remove a bit of abstraction from the BB84 protocol,
[37:47.110 --> 37:49.990]  and think about Alice and Bob's setup.
[37:50.110 --> 37:55.290]  So for Alice, we need a process for encoding qubits, some sort of photon generator.
[37:55.390 --> 37:56.310]  A laser.
[37:56.530 --> 37:59.870]  And for Bob, we need some sort of observation machine.
[37:59.950 --> 38:01.750]  Something to carry out measurements.
[38:02.030 --> 38:03.390]  A photon detector.
[38:03.390 --> 38:09.170]  Eve can exploit hardware weaknesses in both these components to compromise BB84.
[38:09.610 --> 38:13.350]  Eve can execute this attack against Alice or Bob.
[38:13.350 --> 38:17.110]  Let's take the case of Alice to begin with, and then we can circle back to Bob.
[38:17.150 --> 38:22.430]  So Eve sends a light pulse at one of the devices, in this case Alice's photon generator,
[38:22.430 --> 38:24.630]  and registers the reflected pulse.
[38:24.630 --> 38:30.370]  Because of the design of QKD hardware, the reflected pulse will indicate which process,
[38:30.370 --> 38:34.770]  or photon generator, will be used by Alice to generate the next qubit.
[38:34.830 --> 38:39.210]  Eve knows which process Alice is about to use to encode her qubit.
[38:39.210 --> 38:43.390]  So she can perform an intercept and replay attack with 100% certainty
[38:43.390 --> 38:47.610]  that she'll be using the correct observer for each incoming qubit.
[38:47.690 --> 38:53.090]  She knows that her measurements will not affect the state of the qubit,
[38:53.090 --> 38:57.890]  since she'll be measuring in the exact same basis Alice used to encode the qubit.
[38:57.890 --> 39:03.610]  She can then pass the state on to Bob undisturbed.
[39:03.610 --> 39:07.730]  She can capture the entire key as Alice sends it, and send the qubits on to Bob,
[39:07.730 --> 39:10.970]  without Alice or Bob being able to detect her presence.
[39:11.410 --> 39:14.850]  Using the information communicated over the classical channel,
[39:14.850 --> 39:17.950]  Eve will then be able to create the same key as Alice and Bob.
[39:17.950 --> 39:22.150]  Now if she was to target Bob with this attack, it would be a very similar situation.
[39:22.150 --> 39:27.850]  She sends a light pulse at Bob's photon detector.
[39:27.850 --> 39:34.270]  She sees exactly what basis Bob is about to use to measure Alice's qubit.
[39:34.270 --> 39:40.330]  She measures in the exact same basis that Bob would use to measure the incoming qubit.
[39:40.350 --> 39:44.550]  When Eve is wrong, then Bob is also wrong.
[39:44.550 --> 39:49.930]  Sure, Eve has messed up the state of that qubit, but Bob was about to mess it up anyway,
[39:49.930 --> 39:54.890]  and Alice is just going to tell him to get rid of that qubit, since he measured in the wrong basis.
[39:54.890 --> 40:00.630]  But when Bob measures in the correct basis, Eve also measures in the correct basis.
[40:00.630 --> 40:05.130]  She doesn't mess up the state of the qubit, Bob adds it to the qubit,
[40:05.130 --> 40:13.890]  and again, when Alice and Bob create their final key, Eve can create hers right alongside them.
[40:15.850 --> 40:21.150]  All these attacks are understandably problematic for the BB84 protocol.
[40:21.210 --> 40:23.790]  So what can be done to protect the protocol?
[40:23.890 --> 40:31.410]  Well, safety measures can include passive measures, which are inherent properties of the infrastructure that make them resistant to such attacks.
[40:31.410 --> 40:38.370]  If we take the example of the light injection attack, a passive measure for Alice could be to add an attenuator at the output of her setup.
[40:38.370 --> 40:44.450]  This would mean Eve would need a more powerful laser to enumerate the encoding basis Alice is about to use.
[40:44.450 --> 40:51.690]  If Alice then uses an optical isolator and bandpass filter so that she can get her photons out,
[40:51.690 --> 40:57.490]  but Eve would have great difficulty getting her photons in, then Eve's power requirements become untenable.
[40:57.490 --> 41:04.950]  We do have to state that if we're using an attenuator, we can't deal with single photon states anymore, and we'll have to use weak coherent pulses.
[41:04.950 --> 41:11.970]  But as we already mentioned, most commercial devices tend to use weak coherent pulses anyway, so this isn't a massive issue.
[41:12.150 --> 41:17.610]  Active measures are tools that are designed to mitigate against certain attacks.
[41:17.610 --> 41:26.970]  So an active measure may involve a detector to warn Alice and Bob should the average and/or peak power of an incoming pulse rise above a specified level.
[41:26.970 --> 41:35.270]  If this happens, then they know that Eve is trying to enumerate either Bob's detection basis or Alice's encoding basis.
[41:35.350 --> 41:45.170]  Now we can also have a combination of both. So we can have active for Alice, where she has her attenuator, optical isolator, bandpass filter introduced to her setup,
[41:45.170 --> 41:53.650]  and an alarm system, a warning, a detector, for Bob should incoming light pulses rise above a certain threshold.
[41:55.170 --> 42:04.330]  So those are some potential attacks and defense measures that can be used to harden quantum cryptographic protocols.
[42:04.330 --> 42:11.290]  However, quantum cryptography is not the only source of quantum-resilient cryptography being researched today.
[42:11.290 --> 42:17.290]  We also have post-quantum cryptography, and that is an incredibly popular flavor,
[42:17.290 --> 42:27.870]  and one we'll give a brief overview to now, as no discussion of quantum-resilient cryptography would really be complete without at least touching upon post-quantum cryptography.
[42:28.410 --> 42:37.290]  So, as we've stated, the problem with many algorithms in use today is that their security is based on a class of mathematically difficult problems,
[42:37.290 --> 42:41.030]  all of which can be solved on a sufficiently powerful quantum computer.
[42:41.030 --> 42:47.990]  Even though current, publicly known quantum computers lack the processing power to be cryptographically relevant,
[42:47.990 --> 42:54.470]  many cryptographers are designing new algorithms to prepare for when quantum computers become powerful enough to be a threat.
[42:54.470 --> 42:59.770]  There are currently four main flavors of public-key post-quantum cryptosystems.
[43:00.510 --> 43:09.950]  Firstly, we have lattice-based cryptosystems. This is the most well-understood and widely studied family of hard math problems being researched for post-quantum cryptography.
[43:09.950 --> 43:18.250]  It is perhaps the most popular flavor due to its historic mathematical interest and the versatility of cryptographic schemes possible,
[43:18.250 --> 43:25.510]  allowing for the replacement of essentially all endangered protocols, but also the introduction of entirely new classes of cryptographic tools,
[43:25.510 --> 43:29.270]  not available when using factoring or other hard math problems.
[43:29.550 --> 43:38.750]  Second, we have code-based cryptosystems, which is another popular flavor that includes cryptosystems which rely on error-correcting codes, such as the McEliece algorithm.
[43:38.750 --> 43:45.290]  The original McEliece signature, using random Goppa codes, has withstood scrutiny for over 30 years.
[43:45.290 --> 43:51.510]  However, many variants which aim to structure the code more so as to minimize key size, have been shown to be insecure.
[43:51.950 --> 43:57.690]  Third, we have hash-based cryptosystems. Hash-based digital signatures, which were invented in the 70s,
[43:57.690 --> 44:04.170]  fell out of vogue as there is a limit to the number of signatures that can be signed using the corresponding set of private keys.
[44:04.250 --> 44:07.970]  Post-quantum cryptography, however, has renewed interest in the field.
[44:07.970 --> 44:12.890]  Finally, we have multivariate public-key cryptosystems.
[44:12.890 --> 44:19.090]  This includes encryption schemes based on the difficulty of solving systems of multivariate equations.
[44:19.090 --> 44:23.930]  Whilst attempts to build secure multivariate equation encryption protocols have failed,
[44:23.930 --> 44:29.210]  such schemes could provide a basis for the construction of a quantum-secure digital signature.
[44:29.210 --> 44:32.730]  I also quickly wanted to touch upon symmetric key encryption.
[44:32.730 --> 44:38.630]  Given that suitably large keys are used, systems like AES are already quantum-resistant.
[44:38.630 --> 44:43.830]  In addition to this, key management protocols which employ symmetric keys, like Kerberos,
[44:43.830 --> 44:47.710]  are inherently secure against attacks from a quantum computer.
[44:47.710 --> 44:55.450]  Some researchers suggest expanded use of Kerberos-like key management as a way to get post-quantum cryptography today.
[44:55.650 --> 45:00.550]  So with the security of post-quantum cryptography schemes still being evaluated,
[45:00.550 --> 45:03.690]  how do we approach adoption? And why the rush?
[45:03.690 --> 45:07.310]  Why not wait until we are wholly confident in the schemes proposed?
[45:07.890 --> 45:12.250]  Well, the Mosca inequality states that if the time data is to be preserved for,
[45:12.250 --> 45:17.810]  in addition to the time it will take our security systems to migrate from classical to post-quantum,
[45:17.810 --> 45:24.250]  is more than the time it will take for quantum processors to become capable of compromising existing encryption,
[45:24.250 --> 45:25.910]  then we have a problem.
[45:25.910 --> 45:28.590]  Some believe we have already reached this point.
[45:28.610 --> 45:35.850]  But at the very least, the pressure to begin being able to implement some form of post-quantum cryptography is very real.
[45:36.010 --> 45:37.510]  So how are we doing this?
[45:37.510 --> 45:43.270]  In the first instance, it would make sense to use a hybrid of classical and post-quantum schemes.
[45:43.270 --> 45:47.930]  This affords us the security of rigorously tested schemes that are classical,
[45:47.930 --> 45:52.970]  alongside a safety net against the threat that quantum computers pose.
[45:53.910 --> 45:58.210]  As long as one of the two schemes is secure, the data is protected.
[45:58.590 --> 46:04.050]  Should there be a flaw in the post-quantum scheme, the classical scheme may buy us time to address it.
[46:04.050 --> 46:10.070]  And if quantum computers render classical schemes obsolete, we have the protection of the post-quantum scheme.
[46:10.070 --> 46:13.930]  An advantage of the hybrid approach is the backwards compatibility,
[46:13.930 --> 46:17.550]  whereby you can fall back to better supported classical algorithms,
[46:17.550 --> 46:22.350]  should you find support for your shiny new post-quantum cryptography algorithms lacking.
[46:22.350 --> 46:27.110]  Other things to bear in mind when designing and implementing hybrid schemes,
[46:27.110 --> 46:31.370]  in addition to backwards compatibility, are performance,
[46:31.370 --> 46:38.390]  with computation and data consumption overheads, alongside minimizing impact to latency and data flows.
[46:38.910 --> 46:45.630]  Much like quantum cryptography, post-quantum cryptography has its associated pros and cons.
[46:45.630 --> 46:52.850]  So a massive pro is the cost. Due to decreased R&D expenses relative to quantum cryptography,
[46:52.850 --> 46:56.070]  in addition to it being far less resource intensive,
[46:56.070 --> 47:01.230]  the cost of post-quantum cryptography is significantly lower than its quantum counterpart.
[47:01.850 --> 47:05.090]  Alongside this, it works on current infrastructure.
[47:05.090 --> 47:12.570]  This feeds into the lower cost as expensive and specialized equipment is not required in order to facilitate post-quantum cryptography.
[47:12.570 --> 47:17.690]  This form of cryptography should be capable of running on current classical computers,
[47:17.690 --> 47:21.450]  and as such may have a larger scope of possible applications.
[47:22.170 --> 47:27.470]  And due in no small part to the prior two reasons, this field is massively popular,
[47:27.470 --> 47:32.950]  with tons of active research taking place and many supporters, including the NCSC.
[47:34.070 --> 47:39.150]  However, it's not all sunshine and roses. Due to this being such a young field,
[47:39.150 --> 47:45.410]  essentially being born as a response to the increasing threat quantum computers continue to place on current cryptography,
[47:45.410 --> 47:49.550]  there may be many flaws and inherent weaknesses that are yet to be uncovered.
[47:49.550 --> 47:53.610]  Simply due to the field's immaturity, any such issue, when discovered,
[47:53.610 --> 47:59.630]  would immediately threaten the confidentiality of data protected by the relevant encryption.
[48:00.310 --> 48:07.990]  Another particular challenge of post-quantum cryptography is the implementation of quantum-safe algorithms into existing systems.
[48:07.990 --> 48:13.770]  I'm sure many of us have come across clients who are forced to run outdated and vulnerable cryptography
[48:13.770 --> 48:18.730]  due to legacy systems which don't support modern TLS implementations.
[48:18.730 --> 48:25.450]  This issue will only be made worse by the introduction of post-quantum cryptography unless these issues are overcome.
[48:27.550 --> 48:36.170]  Finally, we have key size. There are often trade-offs related to key size and computational efficiency alongside ciphertexts or signature size.
[48:36.170 --> 48:42.430]  As such, care must be taken when choosing which post-quantum cryptographic algorithms to employ,
[48:42.430 --> 48:47.630]  weighing, for example, the effort required to send large public keys over the internet.
[48:48.110 --> 48:52.630]  So when it comes to quantum cryptography, why are we talking about it now?
[48:52.630 --> 48:55.950]  Why is it relevant to have this conversation today?
[48:55.990 --> 49:01.330]  Well, no one is sure when a cryptographically relevant quantum computer will be available.
[49:01.350 --> 49:05.850]  Depending on who you ask, estimates range from a few years to never.
[49:05.850 --> 49:09.850]  But the general consensus is that we should plan for around a decade.
[49:10.110 --> 49:19.430]  As such, a worst-case scenario can be put forward of the complete failure of a massive proportion of cryptographic systems within 10 years.
[49:19.430 --> 49:27.990]  We should put in place a strategy early enough that will allow for quantum resilience in time to protect sensitive data for the full term of its security life.
[49:27.990 --> 49:36.430]  The strategies we put in place need testing and assurance, so that in an attempt to address vulnerability issues, we don't end up introducing more.
[49:36.470 --> 49:45.890]  For some data, it can be argued that it's already too late. Harvesting attacks could already be intercepting data for decryption when quantum computers mature.
[49:46.810 --> 49:51.670]  So this all sounds great, and you've decided to build your own quantum cryptography lab.
[49:51.670 --> 50:00.610]  Now there are two ways to go about this. One is building a physical system to test particular protocols in implementation, and the other is through virtualization.
[50:00.750 --> 50:06.710]  With a physical apparatus, you'd be forgiven for thinking building one would require exorbitant sums of money.
[50:06.710 --> 50:21.950]  However, essentially, all you need to model, say, the BB84 protocol would be a source, some kind of laser most likely, a photon detector, some polarization filters and beam splitters, and then some electronics to control the equipment and register output.
[50:21.950 --> 50:30.710]  There are kits available which contain all the necessary components to create an analogous setup for QKD protocols, and these cost around two and a half thousand pounds.
[50:30.710 --> 50:34.610]  So not the millions and millions you'd be forgiven for thinking it would cost.
[50:34.610 --> 50:42.190]  However, with virtualization, we can model the protocols and components. We never need to have physical devices in front of us.
[50:42.190 --> 50:54.290]  We can leverage the quantum cloud, which allows for the exploration of quantum applications via systems and simulators to model and test QKD protocols using real world quantum systems.
[50:54.290 --> 51:01.430]  However, please stick to hacking the protocols and not the platform itself. Don't want you getting in trouble.
[51:02.110 --> 51:12.630]  We can also use software such as MATLAB or Visual Basic to model all of our components and code the logic of these protocols, and thus create an inexpensive virtual lab.
[51:12.630 --> 51:20.350]  There is quite a lot of material available to help in such endeavors, and there are several academic papers that take this approach.
[51:20.350 --> 51:38.130]  My personal recommendation would be to start with a virtual lab, and once you've identified potential vulnerabilities, then build an analogous physical model to determine how best to exploit the issues identified, and also determine whether they constitute legitimate vulnerabilities, and if so, under what conditions.
[51:39.050 --> 51:47.930]  So in conclusion, there is no better physical medium for storing and processing information than quantum systems, according to quantum information theory.
[51:47.930 --> 51:56.310]  You are essentially working with the fundamental building blocks of the universe, and are as close to the metal as you can possibly be, to borrow a programming analogy.
[51:56.590 --> 52:07.510]  With quantum cryptography, you can secure communication on the physical level. We know there are many pros, but also several cons and physical hurdles that are yet to be overcome.
[52:07.510 --> 52:23.690]  However, commercial systems relying on quantum principles are already beginning to emerge. We've talked about IBM's Q-System 1, which is the first commercial quantum computer available, and that there is such a thing as the quantum cloud, allowing quantum computing to be accessed by the masses.
[52:24.190 --> 52:29.670]  In addition to this, commercially available quantum key distribution systems are already with us.
[52:30.110 --> 52:35.930]  The landscape of cryptography is changing under our feet, and it's up to us to adapt to it.
[52:35.930 --> 52:45.870]  With the introduction of new protocols, some completely secure in theory, there still exists many pen testing applications in the physical implementations of such systems.
[52:45.870 --> 52:57.710]  If you can't find an inherent flaw, look for an implementation flaw. What components were used in the construction of this system? What are their technical limitations? How can these limitations be abused and protected against?
[52:57.710 --> 53:07.110]  Technical details for many components are publicly available, and so research into the compromise of these devices can be done without ever needing to have one in front of you.
[53:07.970 --> 53:18.030]  So if anyone's interested in any further reading, I've compiled a list of resources that I found particularly useful in constructing this talk. So this would be a great place to start.
[53:18.030 --> 53:22.690]  Here we've got the obligatory image references, just so that no one shouts at me.
[53:22.890 --> 53:29.090]  And finally, thank you to Cyberus for allowing me the time and resources to put this presentation together.
[53:29.090 --> 53:34.590]  In particular, to Mark Crowther, Catherine Fair, and Ian Lonsborough for their guidance and encouragement.
[53:34.670 --> 53:39.110]  And to DefCon Crypto and Privacy Village for providing such a stellar platform.
[53:39.110 --> 53:43.150]  And finally, and most importantly, to you all for listening. So thank you very much.
[53:43.150 --> 53:46.350]  If you've got any questions, please feel free to reach out.
[53:53.190 --> 54:00.530]  All right. Thank you to Imran Shaheem for his talk that has just wrapped up, entitled Quantum Computers and Cryptography.
[54:00.530 --> 54:08.430]  We have Imran here for a live Q&A, so please continue putting any questions you have in the Discord CPV Q&A channel. You can find the link below.
[54:08.750 --> 54:12.590]  Let's get started off with... we have a few questions queued up already.
[54:12.690 --> 54:21.270]  Good morning, Imran. So our first question is, where can we get that reference slide you mentioned? Some folks would like to read more about BB84.
[54:21.270 --> 54:30.290]  Yep, absolutely. So I do believe it flashed very briefly on the screen during the presentation, but I appreciate it probably wasn't on for very long at all.
[54:30.510 --> 54:40.090]  I'll probably chuck it onto, I don't know, LinkedIn or Twitter or I'll link to it somewhere and I'll make sure it's available out there for everyone.
[54:40.330 --> 54:46.650]  But worst case scenario, you can always go back and just pause that frame where it's on there.
[54:46.650 --> 54:54.690]  OK, wonderful. So next question. Have any of these attacks been demonstrated in real life or are these still theoretical?
[54:54.930 --> 55:05.370]  So it depends on what you mean by real life. So they have been done with real physical components.
[55:05.370 --> 55:16.270]  So the light injection attack, for example, there is a paper on it where they created a quantum analogous setup and attacked it using physical systems.
[55:16.270 --> 55:25.910]  Whether actual commercial devices are exploitable and these vulnerabilities exist within them.
[55:25.910 --> 55:33.950]  I don't think if you kind of spent millions creating a device, you'd shout about the vulnerabilities and you'd probably try and fix it pretty sharpish.
[55:34.310 --> 55:40.010]  So I couldn't tell you whether the commercially available devices have any of these vulnerabilities in it.
[55:40.010 --> 55:46.790]  But certainly physical quantum key distribution systems have been tested and proven to be exploitable.
[55:48.310 --> 56:02.290]  Gotcha. OK, so next question. If quantum crypto requires specialized hardware on both ends, then how is it better than requiring synchronized hardware one time pads on each end, given that one time pads are cheaper to produce?
[56:02.290 --> 56:12.770]  Right. Yeah. So that's an absolutely fair point. I'd say that one advantage QKD has is when implemented properly,
[56:12.770 --> 56:22.550]  when those vulnerabilities we just discussed aren't there within the system, it intrinsically protects against man-in-the-middle attacks.
[56:22.730 --> 56:30.350]  It's theoretically impossible for an eavesdropper to be able to listen into the communication and enumerate the key.
[56:30.350 --> 56:42.490]  On top of that, whilst it's quite expensive at the moment, these QKD devices, they shouldn't always be as prohibitively expensive as they are now.
[56:42.490 --> 56:48.370]  Like I mentioned in the talk, we're literally dealing with the cutting edge of cryptography.
[56:48.370 --> 56:59.150]  And as this becomes better and better developed, we will have cheaper systems and there will be a bunch of different applications with quantum cryptography.
[56:59.150 --> 57:09.090]  Key distribution being just one very narrow aspect, admittedly the most well-developed at the moment, but one very particular part of quantum cryptography as a whole.
[57:09.090 --> 57:22.930]  But I would agree that at the moment, if you were looking for a cryptography kind of solution, I would definitely bear more towards a classical solution than a quantum one.
[57:22.950 --> 57:27.630]  This is more what's coming as opposed to what's currently here.
[57:28.190 --> 57:38.890]  Great. Quantum computing makes the hard math of RSA easy. So classic symmetric key distribution by asymmetric is broken. QKD can solve that.
[57:38.890 --> 57:44.890]  But what about some of the other uses of asymmetric encryption, like authentication and digital signatures? What's the quantum safe version of those?
[57:44.890 --> 57:48.130]  And this will be our last question. We can take additional questions on the Discord.
[57:48.310 --> 57:52.430]  Sure. Yeah, I'd be happy to stick around on Discord and answer any other questions that pop up.
[57:52.430 --> 58:01.910]  But to answer this question, I would say, as I mentioned, quantum key distribution is the best developed branch of quantum cryptography.
[58:01.910 --> 58:07.270]  It's certainly not the only one. And entity authentication, digital signatures, these are things that are being researched.
[58:07.270 --> 58:18.630]  But I would say the lack of maturity in the field right now kind of leaves us without a quantum safe alternative in kind of the realm of quantum cryptography.
[58:34.870 --> 58:45.430]  Wonderful. All right. Well, thank you again, Imran. This is a great talk, great Q&A. Take care and enjoy the rest of DEF CON.
[58:45.430 --> 58:47.050]  Thank you very much. Thank you.
[58:47.050 --> 58:48.110]  All right.
